[milters] Archive

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------
Michael Elliott wrote:
> Anthony Howe wrote:
>> This is problematic. Consider that most pump & dump image based spam uses
>> a CID: there are no filenames to speak of, and the cid: will probably
>> change between runs or every message even (you don't care about CPU when
>> you're using someone else's computer).
>>
>
> ... That and many other good reasons kind of kill this idea.
I wouldn't count it out just yet. I think there might be a variant on a
theme possible here. Just use something other than file names. As I
mentioned earlier, it might be possible to do this using the sender's
address since receiving multiple copies of the same attachment from
different senders is either a) spam/virus, b) a chain letter, c) poor
judgement by sender.
Even better still might be to record two records using the IP address of
the connecting client:
3A: key={ client-IP, MD5 signature of attachment }
    value={ hit counter, timestamps... }
3B: key={ MD5 signature of attachment }
    value={ hit counter, timestamps... }
I'm pretty sure a heuristic could be developed to filter using some
variant of the above and no-PTR or IP-in-PTR sources (i.e. looks dynamic,
smells dynamic, or DNS challenged).
Anyway, you've sparked some thought in this vein and I think it just
needs more fleshing out and tweaking.
Your milter-abook idea is OK. I'll have to think on it. I prefer
something though along your original thought since it's a more
independent technique.
--
Anthony C Howe Skype: SirWumpus SnertSoft
+33 6 11 89 73 78 AIM: SirWumpus Sendmail Milter Solutions
http://www.snert.com/ ICQ: 7116561
http://www.snertsoft.com/
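Added example, not code from this thread or from SnertSoft: a sketch of the two-record scheme above (3A keyed by client IP plus attachment digest, 3B keyed by digest alone) combined with a crude "looks dynamic" PTR test. The thresholds, the record layout, the action names and the sample messages are assumptions made for illustration; the PTR name is passed in explicitly so the example runs offline, whereas a real milter would obtain it from a reverse lookup on the connecting client.

```python
# Added example (not from the milters thread or from SnertSoft): the
# two-record attachment counter Anthony Howe sketches, plus a PTR test.
# Thresholds, names and sample data below are assumptions for illustration.
import hashlib
import re
from collections import defaultdict
from typing import Optional


def attachment_digest(data: bytes) -> str:
    """MD5 of the raw attachment body, as the post proposes. It is a
    deduplication key, not a security primitive; any stable digest works."""
    return hashlib.md5(data).hexdigest()


def _contains(seq, sub):
    """True if list `sub` occurs as a contiguous run inside list `seq`."""
    n = len(sub)
    return any(seq[i:i + n] == sub for i in range(len(seq) - n + 1))


def ptr_looks_dynamic(ip: str, ptr: Optional[str]) -> bool:
    """No PTR, or the client's own octets embedded in the PTR (forward or
    reversed, e.g. 10-0-0-7.dyn.example.net or 7.0.0.10.dsl.example.net),
    both of which usually mean a dynamically assigned host, not an MTA."""
    if not ptr:
        return True
    octets = ip.split(".")
    if len(octets) != 4:
        return False  # IPv6 or malformed: only the missing-PTR test applies
    octets = [str(int(o)) for o in octets]
    tokens = [str(int(t)) for t in re.findall(r"\d+", ptr)]  # zero-pad safe
    return _contains(tokens, octets) or _contains(tokens, octets[::-1])


class AttachmentTracker:
    """Record 3A: (client IP, digest) -> hits/timestamps.
    Record 3B: digest -> hits/timestamps plus the set of distinct clients."""

    def __init__(self):
        self.by_ip_and_digest = defaultdict(lambda: {"hits": 0, "timestamps": []})
        self.by_digest = defaultdict(
            lambda: {"hits": 0, "timestamps": [], "clients": set()})

    def record(self, client_ip: str, data: bytes, ts: int) -> str:
        digest = attachment_digest(data)
        a = self.by_ip_and_digest[(client_ip, digest)]
        a["hits"] += 1
        a["timestamps"].append(ts)
        b = self.by_digest[digest]
        b["hits"] += 1
        b["timestamps"].append(ts)
        b["clients"].add(client_ip)
        return digest

    def assess(self, client_ip, digest, ptr, now, window=3600,
               many_sources=3, many_hits=5):
        """Assumed heuristic: a burst of one attachment (from several distinct
        clients, or many copies in the window, or one client hammering) is
        'suspect'; a burst from a dynamic-looking client is 'reject'."""
        b = self.by_digest[digest]
        a = self.by_ip_and_digest[(client_ip, digest)]
        recent = [t for t in b["timestamps"] if now - t <= window]
        sources = len(b["clients"])
        reasons = []
        if sources >= many_sources:
            reasons.append("same attachment from %d distinct clients" % sources)
        if len(recent) >= many_hits:
            reasons.append("%d copies within %ds" % (len(recent), window))
        if a["hits"] >= many_hits:
            reasons.append("client %s sent it %d times" % (client_ip, a["hits"]))
        burst = bool(reasons)
        dynamic = ptr_looks_dynamic(client_ip, ptr)
        if dynamic:
            reasons.append("client PTR missing or looks dynamic")
        if burst and dynamic:
            action = "reject"
        elif burst:
            action = "suspect"
        else:
            action = "accept"
        return {"action": action, "reasons": reasons}


def run_demo():
    """Constructed traffic: one image from four unrelated dynamic-looking
    clients, then an unrelated PDF from a properly named MX."""
    tracker = AttachmentTracker()
    pump_gif = b"GIF89a constructed pump-and-dump image body"
    invoice = b"%PDF-1.4 constructed invoice"
    base = 1_700_000_000
    events = [  # (client IP, PTR or None, attachment, timestamp)
        ("198.51.100.10", "198-51-100-10.dyn.example.net", pump_gif, base),
        ("203.0.113.44", None, pump_gif, base + 60),
        ("198.51.100.77", "77.100.51.198.cable.example", pump_gif, base + 120),
        ("203.0.113.9", "9.113.0.203.ppp.example.org", pump_gif, base + 180),
        ("192.0.2.25", "mx1.example.org", invoice, base + 200),
    ]
    verdicts = []
    for ip, ptr, data, ts in events:
        digest = tracker.record(ip, data, ts)
        verdicts.append(tracker.assess(ip, digest, ptr, now=ts))
    return verdicts


if __name__ == "__main__":
    for v in run_demo():
        print(v["action"], "-", "; ".join(v["reasons"]))
```

The first two copies pass because nothing has been seen yet; the third arrives from a third distinct client, the 3B record crosses the assumed threshold, and since that client's PTR embeds its own address the verdict is reject. The PDF from the MX is a different digest with a single source and is accepted. A dynamic-looking PTR alone never triggers a verdict here; it only hardens a verdict the hit counters already justify.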